Deciding Validity for an Ambient Logic - Semantic Scholar

Deciding Validity in a Spatial Logic for Trees

Cristiano Calcagno, Imperial College London
Luca Cardelli, Microsoft Research
Andrew D. Gordon, Microsoft Research

JFP submission of March 2004

Abstract

We consider a propositional spatial logic for finite trees. The logic includes A | B (tree composition), A ▷ B (the implication induced by composition), and 0 (the unit of composition). We show that the satisfaction and validity problems are equivalent, and decidable. The crux of the argument is devising a finite enumeration of trees to consider when deciding whether a spatial implication is satisfied. We introduce a sequent calculus for the logic, and show it to be sound and complete with respect to an interpretation in terms of satisfaction. Finally, we describe a complete proof procedure for the sequent calculus. We envisage applications in the area of logic-based type systems for semistructured data. We describe a small programming language based on this idea.

Contents

1 Introduction
2 Ground Propositional Spatial Logic (Review)
  2.1 Edge-Labelled Finite Trees
  2.2 Logical Formulas and Satisfaction
  2.3 Validity of a Formula
3 Deciding Validity by Model Checking
  3.1 Bounding the Names to Consider
  3.2 Bounding the Sizes to Consider
  3.3 Enumerating Equivalence Classes
4 Deciding Validity by Deduction
  4.1 A Sequent Calculus
  4.2 Soundness and Completeness
  4.3 A Complete Proof Procedure
5 A Language for Manipulating Trees
  5.1 Syntax
  5.2 Values
  5.3 Operational Semantics
  5.4 Type System
  5.5 Examples
6 Conclusions

1 Introduction

Due to the growing popularity of semistructured data [Bun97], and particularly XML [XML], there is a renewed interest in typed programming languages that can manipulate tree-like data structures. Unfortunately, semistructured data cannot be checked by conventional type systems with sufficient flexibility. More advanced type systems are being proposed that better match the data schemas used with semistructured data [HP00].

In general, we are going to have some tree-like data t, and some description language T that can flexibly describe the shape of the data. We are interested in description languages so flexible that they are akin to logics rather than to type systems. The question is: what is needed to use a description language T as a type system in some programming language that manipulates t data?

First of all, the programming language needs to analyze the data, so it needs to check at run-time whether a tree value matches a description. In type system terms this is a run-time typing problem: does tree t have type A? In logical terms this is a satisfaction problem: does tree t satisfy formula A?

Second, the programming language needs (most likely) to check at compile time whether a description A is less general than a description B. In terms of type system this is a subtyping test: is type A a subtype of type B? In logic terms this is a validity test: does every tree t satisfying formula A also satisfy formula B?

Given both a satisfaction and a validity algorithm, it is then fairly routine to build a type system around the description language, along with an operational semantics obeying standard typing soundness properties. The key problem, though, is to find rich description languages that admit satisfaction and (more crucially) validity algorithms. In the case of XDuce [HP01], for example, these algorithms are found in tree automata theory.

We propose here a logic that can be used as a rich description language for tree-like data. It emerges as an application of the novel area of “spatial” logics used for describing data and network structures. The logic of this paper is so expressive that, in fact, satisfaction and validity are equivalent problems (validity can be defined internally). For a restricted version of the spatial logics studied so far, we are able to obtain a validity algorithm, and this is sufficient for language applications. We end this paper by describing a simple language based on these ideas.

In a spatial logic, the truth of a formula depends on its location. Models for spatial logics include computational structures such as concurrent objects [CM98], heaps [Rey02, IO01, ORY01], trees [CG01a], graphs [CGG02], and also process calculi such as the π-calculus [CC01, CC02] and the ambient calculus [CG00, CG01b]. Previous applications of spatial logics include specifying and verifying imperative and concurrent programs, and querying semistructured data.

The spatial logic of this paper describes properties of finite edge-labelled trees. In our textual notation, n1[P1] | ··· | nk[Pk] is a tree consisting of k edges, labelled n1, ..., nk, leading to k subtrees P1, ..., Pk, respectively. Our logic starts with propositional primitives: conjunction A ∧ B, implication A ⇒ B, and falsity F. To this basis, we add spatial primitives: composition A | B (satisfied by composite trees P | Q where P and Q satisfy A and B, respectively), guarantee A ▷ B (the spatial implication corresponding to composition, satisfied by trees that, whenever composed with any tree that satisfies A, result in trees that satisfy B) and void 0 (the unit of composition, satisfied by the empty tree). We complete the logic with primitives for labelled edges: location n[A] (satisfied by a tree n[P] if P satisfies A) and placement A@n (satisfied by a tree P if the tree n[P] satisfies A).

We consider the satisfaction problem (whether a given tree satisfies a given formula) and the validity problem (whether every tree satisfies a given formula). Since satisfaction of the guarantee operator A ▷ B is defined as an infinite quantification over all trees, neither problem is obviously decidable. Our first significant result is that both are, in fact, decidable (Theorem 2). In effect, we show how to decide validity by model checking. The main auxiliary result (Theorem 1) is that we need consider only a finite enumeration of trees when model checking a formula A ▷ B.

Subsequently, we introduce a sequent calculus for our spatial logic, and show how to decide validity by deduction in this calculus. The finite enumeration of trees introduced in the first half is built into the right rule for A ▷ B. Our sequent calculus has a standard interpretation in terms of the satisfaction predicate. By appeal to Theorem 1, we show the sequent calculus to be sound (Theorem 3) and complete (Theorem 4) with respect to its interpretation. Moreover, we obtain and verify a complete algorithm for finding proofs in the sequent calculus (Theorem 5). The resulting algorithm for validity is better suited to optimisations than the algorithm based directly on model checking.

Section 2 gives formal definitions of our logic and its model. Section 3 develops our first algorithm for validity, based on model checking. Section 4 develops our second algorithm, based on our sequent calculus. Section 5 describes a small programming language for manipulating trees, to illustrate the idea of using spatial logic formulas as programming language types. Section 6 concludes.

2 Ground Propositional Spatial Logic (Review)

This section introduces our spatial logic and its model. First, we define our notation for edge-labelled finite trees. Second, we introduce the formulas of the logic and their semantics: the satisfaction predicate, P |= A, means that the tree P satisfies the formula A. Third, we define the validity predicate, vld(A), to mean P |= A for every tree P. By constructing certain characteristic formulas, we note that satisfaction and validity are interderivable. In a study of a richer spatial logic than the one considered here, Hirschkoff, Lozes, and Sangiorgi [HLS02] also define characteristic formulas for ambient processes, and note equivalences between the satisfaction and validity problems.

2.1 Edge-Labelled Finite Trees

Let m, n range over an infinite set N of names. The model of our logic is the set of edge-labelled trees, finitely branching and of finite depth.

Trees:

  P, Q ::=        tree
    0             empty tree
    P | Q         composition
    m[P]          edge labelled by m, atop tree P

Let fn(P) be the set of names free in P. For any X ⊆ N, let Tree_X ≜ {P | fn(P) ⊆ X}.

Structural Equivalence: P ≡ Q

  P ≡ P                                   (Struct Refl)
  Q ≡ P ⇒ P ≡ Q                           (Struct Symm)
  P ≡ Q, Q ≡ R ⇒ P ≡ R                    (Struct Trans)
  P ≡ Q ⇒ P | R ≡ Q | R                   (Struct Par)
  P ≡ Q ⇒ m[P] ≡ m[Q]                     (Struct Amb)
  P | Q ≡ Q | P                           (Struct Par Comm)
  (P | Q) | R ≡ P | (Q | R)               (Struct Par Assoc)
  P | 0 ≡ P                               (Struct Zero Par)

Lemma 1 If P ∈ Tree_X and P ≡ Q then Q ∈ Tree_X.

2.2 Logical Formulas and Satisfaction

Logical Formulas:

  A, B ::=        formula
    F             false
    A ∧ B         conjunction
    A ⇒ B         implication
    0             void
    A | B         composition
    A ▷ B         guarantee
    n[A]          location
    A@n           placement

The derived propositional connectives T, ¬A, A ∨ B, are defined in the usual way. Name equality can be defined by m = n ≜ m[T]@n; this formula holds if and only if m = n. We write A{m←m′} for the outcome of substituting each occurrence of the name m in the formula A with the name m′. We define the satisfaction predicate, P |= A, as follows.

Satisfaction: P |= A

  P |= F          never
  P |= A ∧ B      ≜ P |= A ∧ P |= B
  P |= A ⇒ B      ≜ P |= A ⇒ P |= B
  P |= 0          ≜ P ≡ 0
  P |= A | B      ≜ ∃P′, P″. P ≡ P′ | P″ ∧ P′ |= A ∧ P″ |= B
  P |= A ▷ B      ≜ ∀P′. P′ |= A ⇒ P | P′ |= B
  P |= n[A]       ≜ ∃P′. P ≡ n[P′] ∧ P′ |= A
  P |= A@n        ≜ n[P] |= A

A basic property is that structural congruence preserves satisfaction:

Lemma 2 If P |= A and P ≡ P′ then P′ |= A.

Proof An easy induction on the structure of A. □

It is useful to know that every tree P has a characteristic formula P̂. Let 0̂ ≜ 0, (P | Q)^ ≜ P̂ | Q̂, and (m[P])^ ≜ m[P̂]. The formula P̂ identifies P up to structural equivalence:

Lemma 3 For all P and Q, Q |= P̂ if and only if Q ≡ P.

Proof An easy induction on the structure of P. □

Now, to turn the definition of satisfaction into an algorithm, that is, to build a model checker for the logic, we must show that the three quantifications in the clauses for A | B, A ▷ B, and n[A] can be reduced to finite problems. It is not hard to reduce the clauses for A | B and n[A] to finite quantifications [CG00], but it seems far from obvious how to reduce satisfaction of A ▷ B to a finite problem. The principal result of the paper, Theorem 1, is that for any A′, A″ there is a finite set T(A′ ▷ A″) such that:

  P |= A′ ▷ A″ ⇔ ∀P′ ∈ T(A′ ▷ A″). P′ |= A′ ⇒ P′ | P |= A″

2.3 Validity of a Formula

The validity predicate, vld(A), means every tree satisfies the formula A.

Validity: vld(A)

  vld(A) ≜ ∀P. P |= A

The next two lemmas exhibit formulas to encode validity in terms of satisfaction, and the converse.

Lemma 4 (Validity from Satisfaction) vld(A) if and only if 0 |= T ▷ A.

Proof With appeal to Lemma 2, we get: vld(A) ⇔ (∀P. P |= A) ⇔ (∀P. P |= T ⇒ P | 0 |= A) ⇔ 0 |= T ▷ A. □

Lemma 5 (Satisfaction from Validity) P |= A if and only if vld(P̂ ⇒ A).

Proof With appeal to Lemmas 2 and 3, we get: vld(P̂ ⇒ A) ⇔ (∀Q. Q |= P̂ ⇒ Q |= A) ⇔ (∀Q. Q ≡ P ⇒ Q |= A) ⇔ P |= A. □

Hence, the validity and satisfaction problems are equivalent. The goal of the paper is to show both are decidable.

3 Deciding Validity by Model Checking

The crux of our problem is the infinite quantification in the definition of satisfaction for A ▷ B. We bound this infinite quantification in three steps, which lead to an alternative definition in terms of a finite quantification. This leads to a model checking procedure, and hence to an algorithm for validity.

• In Section 3.1, we bound the alphabet of distinct names that may occur in trees that need to be considered. Let fn(A) be the set of names occurring free in any formula A. Let m be some other name. Proposition 1 asserts that P |= A ▷ B if and only if Q |= A ⇒ P | Q |= B for all trees Q with edge-labels drawn from the set fn(A) ∪ {m}.

• In Section 3.2, we introduce a measure of the size of a tree, and bound both the alphabet and size of trees that need to be considered. Proposition 4 asserts that P |= A ▷ B if and only if Q |= A ⇒ P | Q |= B for all the trees Q smaller than a size determined by A and with edge-labels drawn from a particular finite alphabet.

• In Section 3.3, we give a procedure to enumerate a finite set of structural equivalence classes of trees determined by a formula. Theorem 1 asserts that P |= A ▷ B if and only if Q |= A ⇒ P | Q |= B for all the representatives Q of these equivalence classes. Hence, we prove in Theorem 2 that satisfaction, and hence validity, is decidable.

3.1 Bounding the Names to Consider

We need the following facts relating substitution with the operators for adding an edge to a tree and for composing trees.

Lemma 6 If n ∉ {m, m′} then:

  P{m←m′} ≡ n[Q] ⇔ ∃P′. P ≡ n[P′] ∧ P′{m←m′} ≡ Q

Proof

  P{m←m′} ≡ n[Q]
  ⇔ ∃m″, P′. P ≡ m″[P′] ∧ m″{m←m′} = n ∧ P′{m←m′} ≡ Q
  ⇔ ∃P′. P ≡ n[P′] ∧ P′{m←m′} ≡ Q  □

Lemma 7

  P{m←m′} ≡ Q′ | Q″ ⇔ ∃P′, P″. P ≡ P′ | P″ ∧ P′{m←m′} ≡ Q′ ∧ P″{m←m′} ≡ Q″

Proof Immediate since substitution preserves the structure of trees. □

Given these facts we can show that satisfaction of a formula is independent of any name not occurring in the formula.

Lemma 8 If m, m′ ∉ fn(A), then P |= A ⇔ P{m←m′} |= A.

Proof By induction on the structure of A. We only consider the interesting cases.

Case A | B. We have m, m′ ∉ fn(A) ∪ fn(B). With appeal to Lemma 2 and Lemma 7, and the induction hypothesis, we calculate:

  P |= A | B
  ⇔ ∃P′, P″. P ≡ P′ | P″ ∧ P′ |= A ∧ P″ |= B
  ⇔ ∃P′, P″. P ≡ P′ | P″ ∧ P′{m←m′} |= A ∧ P″{m←m′} |= B
  ⇔ ∃P′, P″, Q′, Q″. P ≡ P′ | P″ ∧ Q′ ≡ P′{m←m′} ∧ Q″ ≡ P″{m←m′} ∧ Q′ |= A ∧ Q″ |= B
  ⇔ ∃Q′, Q″. P{m←m′} ≡ Q′ | Q″ ∧ Q′ |= A ∧ Q″ |= B
  ⇔ P{m←m′} |= A | B

Case A ▷ B. We have m, m′ ∉ fn(A) ∪ fn(B). With appeal to the induction hypothesis, we calculate:

  P |= A ▷ B
  ⇔ ∀Q. Q |= A ⇒ P | Q |= B
  ⇔ ∀Q. Q |= A ⇒ (P | Q){m←m′} |= B
  ⇔ ∀Q. Q |= A ⇒ (P{m←m′} | Q{m←m′}) |= B
  ⇔ ∀Q. Q |= A ⇒ P{m←m′} | Q |= B
  ⇔ P{m←m′} |= A ▷ B

Case n[A]. We have m, m′ ∉ {n} ∪ fn(A). With appeal to Lemma 2 and Lemma 6, and the induction hypothesis, we calculate:

  P |= n[A]
  ⇔ ∃P′. P ≡ n[P′] ∧ P′ |= A
  ⇔ ∃P′. P ≡ n[P′] ∧ P′{m←m′} |= A
  ⇔ ∃P′, P″. P ≡ n[P′] ∧ P′{m←m′} ≡ P″ ∧ P″ |= A
  ⇔ ∃P″. P{m←m′} ≡ n[P″] ∧ P″ |= A
  ⇔ P{m←m′} |= n[A]

Case A@n. We have m, m′ ∉ {n} ∪ fn(A). With appeal to the induction hypothesis, we calculate:

  P |= A@n
  ⇔ n[P] |= A
  ⇔ (n[P]){m←m′} |= A
  ⇔ n[P{m←m′}] |= A
  ⇔ P{m←m′} |= A@n  □

This lemma is not true for the logic extended with quantifiers: we have m[] | n[] |= ∃x, y. (x[] | y[]) ∧ x ≠ y but m[] | m[] ⊭ ∃x, y. (x[] | y[]) ∧ x ≠ y.

Proposition 1 (Bounding Names) Suppose m ∉ fn(A ▷ B). Then:

  P |= A ▷ B ⇔ (∀Q ∈ Tree_{fn(A ▷ B) ∪ {m}}. Q |= A ⇒ P | Q |= B)

Proof The forwards direction is immediate. For the backwards direction, assume that (∀Q ∈ Tree_{fn(A ▷ B) ∪ {m}}. Q |= A ⇒ P | Q |= B) and consider any tree Q such that Q |= A. Suppose that fn(P | Q) ⊆ fn(A ▷ B) ∪ {m, n1, ..., nk} where {n1, ..., nk} ∩ (fn(A ▷ B) ∪ {m}) = ∅. Let P′ = P{n1←m} ··· {nk←m} and Q′ = Q{n1←m} ··· {nk←m}. By repeated application of Lemma 8, we get that Q |= A ⇔ Q′ |= A. Since Q′ ∈ Tree_{fn(A ▷ B) ∪ {m}} and Q′ |= A, we obtain P | Q′ |= B by assumption. Now, we have:

  (P | Q′){n1←m} ··· {nk←m} = P′ | Q′ = (P | Q){n1←m} ··· {nk←m}

Hence, by repeated application of Lemma 8, we get that P | Q′ |= B ⇔ P′ | Q′ |= B ⇔ P | Q |= B. Hence P | Q |= B follows. □

3.2 Bounding the Sizes to Consider

We introduce measures of the height and width of both trees and formulas.

Definition 1 (Notation) Write a·P for a ≥ 0 copies of P in parallel: P | ... | P.

Definition 2 (Size of Trees) |P|hw ≜ (h, w) iff there are a1, n1, P1, ..., ak, nk, Pk, for some k, such that:
• P ≡ a1·n1[P1] | ... | ak·nk[Pk]
• ∀i, j ∈ 1..k. ni[Pi] ≡ nj[Pj] ⇒ i = j
• (hi, wi) = |Pi|hw for each i ∈ 1..k
• if k = 0, h = 0; otherwise h = 1 + max(h1, ..., hk)
• if k = 0, w = 0; otherwise w = max(a1, ..., ak, w1, ..., wk)

When |P|hw = (h, w), we write |P|h for h and |P|w for w. We write (h1, w1) ≤ (h2, w2) for (h1 ≤ h2) ∧ (w1 ≤ w2). Intuitively |P|h is the height of P, and |P|w is the width, defined as the maximum multiplicity of the subtrees of P. The multiplicity is the number of structurally equivalent non-empty trees under the same edge. For example:
• |0|hw = (0, 0)
• |n[0]|hw = (1, 1)
• |n[0] | m[0]|hw = (1, 1)
• |n[0] | n[0]|hw = (1, 2)
• |n[m[0]]|hw = (2, 1)
• |n[n[0]]|hw = (2, 1)

Next, we define height and width measures for logical formulas.

Size of Logical Formulas:

  |F|h ≜ 0                          |F|w ≜ 0
  |A ∧ B|h ≜ max(|A|h, |B|h)        |A ∧ B|w ≜ max(|A|w, |B|w)
  |A ⇒ B|h ≜ max(|A|h, |B|h)        |A ⇒ B|w ≜ max(|A|w, |B|w)
  |0|h ≜ 1                          |0|w ≜ 1
  |A | B|h ≜ max(|A|h, |B|h)        |A | B|w ≜ |A|w + |B|w
  |A ▷ B|h ≜ |B|h                   |A ▷ B|w ≜ |B|w
  |n[A]|h ≜ 1 + |A|h                |n[A]|w ≜ max(2, |A|w)
  |A@n|h ≜ max(|A|h − 1, 0)         |A@n|w ≜ |A|w

Here are the sizes for the derived propositional connectives:

  |T|h ≜ 0                          |T|w ≜ 0
  |¬A|h ≜ |A|h                      |¬A|w ≜ |A|w
  |A ∨ B|h ≜ max(|A|h, |B|h)        |A ∨ B|w ≜ max(|A|w, |B|w)

We define a relation ∼h,w between trees, parameterized by the size (h, w). The main property of the relation is that if P ∼h,w Q then no formula with size (h, w) can distinguish between P and Q (Proposition 2).

Definition 3 (Relation P ∼h,w Q)

  P ∼0,w Q      always
  P ∼h+1,w Q  ⇔  ∀i ∈ 1..w. ∀n, Pj with j ∈ 1..i. if P ≡ n[P1] | ··· | n[Pi] | Pi+1 then Q ≡ n[Q1] | ··· | n[Qi] | Qi+1 such that Pj ∼h,w Qj for j ∈ 1..i, and vice versa

Note that ∼h,w is an equivalence relation: reflexivity, symmetry, and transitivity are immediate consequences of the definition. Moreover, it is preserved by structural congruence:

Lemma 9 If P ∼h,w Q and Q ≡ R then P ∼h,w R.

Proof By an easy induction on h. □

The following lemma shows that the relation ∼h,w is monotone in (h, w).

Lemma 10 (Monotonicity) If P ∼h,w Q and (h′, w′) ≤ (h, w) then P ∼h′,w′ Q.

Proof By induction on h. The case h = 0 is immediate. For h + 1, suppose P ∼h+1,w Q and (h′, w′) ≤ (h + 1, w). If h′ = 0 then clearly P ∼h′,w′ Q. If h′ = h″ + 1 for some h″, then consider any i ∈ 1..w′, n, Pj for j ∈ 1..i such that

  P ≡ n[P1] | ··· | n[Pi] | Pi+1

Since w′ ≤ w, then i ∈ 1..w, and from P ∼h+1,w Q we have

  Q ≡ n[Q1] | ··· | n[Qi] | Qi+1 such that Pj ∼h,w Qj for j ∈ 1..i

Since (h″, w′) ≤ (h, w), by induction hypothesis we have Pj ∼h″,w′ Qj for j ∈ 1..i. This proves P ∼h″+1,w′ Q, that is, P ∼h′,w′ Q. □

The following lemma shows that the relation ∼h,w is a congruence.

Lemma 11 (Congruence) The following hold:
(1) If P ∼h,w Q then n[P] ∼h+1,w n[Q].
(2) If P ∼h,w P′ and Q ∼h,w Q′ then P | Q ∼h,w P′ | Q′.

Proof We prove both parts directly.

(1) Suppose P ∼h,w Q. If w = 0 then the conclusion is immediate. Otherwise, consider any i ∈ 1..w, n, Pj for j ∈ 1..i such that

  n[P] ≡ n[P1] | ··· | n[Pi] | Pi+1

Then i = 1 and P1 ≡ P and Pi+1 ≡ 0. We have n[Q] ≡ n[Q] | 0, and P1 ∼h,w Q by Lemma 9. This proves n[P] ∼h+1,w n[Q].

(2) There are two cases. If h = 0 then the conclusion is immediate. For h + 1, suppose P ∼h+1,w P′ and Q ∼h+1,w Q′; then consider any i ∈ 1..w, n, Rj for j ∈ 1..i such that

  P | Q ≡ n[R1] | ··· | n[Ri] | Ri+1

Suppose without loss of generality that the Rj are ordered in a way that there exist k ∈ 1..i, P†, Q† such that

  P ≡ n[R1] | ··· | n[Rk] | P†
  Q ≡ n[Rk+1] | ··· | n[Ri] | Q†
  Ri+1 ≡ P† | Q†

Since k ∈ 1..w, from P ∼h+1,w P′ we have

  P′ ≡ n[P′1] | ··· | n[P′k] | P′† such that Rj ∼h,w P′j for j ∈ 1..k

Similarly, from Q ∼h+1,w Q′ we have

  Q′ ≡ n[Q′k+1] | ··· | n[Q′i] | Q′† such that Rj ∼h,w Q′j for j ∈ (k + 1)..i

Hence, we have

  P′ | Q′ ≡ n[P′1] | ··· | n[P′k] | n[Q′k+1] | ··· | n[Q′i] | P′† | Q′†

Since Rj ∼h,w P′j for j ∈ 1..k and Rj ∼h,w Q′j for j ∈ (k + 1)..i, this proves P | Q ∼h+1,w P′ | Q′. □

Lemma 12 (Inversion) If P′ | P″ ∼h,w1+w2 Q then there exist Q′, Q″ such that Q ≡ Q′ | Q″ and P′ ∼h,w1 Q′ and P″ ∼h,w2 Q″.

Proof There are two cases. If h = 0 then the conclusion is immediate. For h + 1, suppose P′ | P″ ∼h+1,w1+w2 Q. Consider the following definition: A tree P is in (h, w)-normal form if whenever P ≡ n[P1] | n[P2] | P3 for some P1, P2, P3, if P1 ∼h,w P2 then P1 ≡ P2. Note that P ∼h+1,w n[P1] | n[P1] | P3, hence it is always possible to find a P† such that P† is in (h, w)-normal form and P ∼h+1,w P†.

We can assume without loss of generality that P′ and P″ are in (h, w)-normal form, and by Lemma 10 that Q is in (h, w)-normal form. Hence, there exist k, Pj, a′j, a″j, bj for j ∈ 1..k such that

  P′ ≡ a′1·n1[P1] | ··· | a′k·nk[Pk]
  P″ ≡ a″1·n1[P1] | ··· | a″k·nk[Pk]
  Q ≡ b1·n1[P1] | ··· | bk·nk[Pk]

where if Pi ∼h,w Pj and ni = nj then i = j. To split Q into two parts, we now specify how to split each bi, for i ∈ 1..k, into b′i and b″i, such that:

  bi = b′i + b″i
  a′i·ni[Pi] ∼h+1,w1 b′i·ni[Pi]
  a″i·ni[Pi] ∼h+1,w2 b″i·ni[Pi]

For each i ∈ 1..k, we choose b′i and b″i according to the following cases:
• Case a′i + a″i < w1 + w2. Then P′ | P″ ∼h+1,w Q implies bi = a′i + a″i, so we can choose b′i = a′i and b″i = a″i.
• Case a′i + a″i ≥ w1 + w2. Then P′ | P″ ∼h+1,w Q implies bi ≥ w1 + w2. There are three subcases:
  – Subcase a′i ≥ w1 and a″i ≥ w2. Then we choose b′i = w1 and b″i = bi − w1 (note that b″i is saturated, that is, b″i ≥ w2, since bi ≥ w1 + w2).
  – Subcase a′i < w1. We must have a″i ≥ w2. Then we choose b′i = a′i and b″i = bi − a′i. So b″i ≥ w2 since bi ≥ w1 + w2 and b′i < w1.
  – Subcase a″i < w2. This is symmetric to the previous case. We must have a′i ≥ w1. We choose b″i = a″i and b′i = bi − a″i. So b′i ≥ w1 since bi ≥ w1 + w2 and b″i < w2.

Now we define Q′ and Q″ as follows:

  Q′ ≡ b′1·n1[P1] | ··· | b′k·nk[Pk]
  Q″ ≡ b″1·n1[P1] | ··· | b″k·nk[Pk]

We have Q ≡ Q′ | Q″, and by repeated application of Lemma 11 we get P′ ∼h+1,w1 Q′ and P″ ∼h+1,w2 Q″. □

Proposition 2 If |A|hw = (h, w) and P |= A and P ∼h,w Q then Q |= A.

Proof By induction on the structure of A. We consider only some interesting cases.

Case 0. Suppose P |= 0 and P ∼1,1 Q. Then P ≡ 0. Since P ∼1,1 Q, if Q ≡ n[Q1] | Q2 for some n, Q1, Q2 then P ≡ n[P1] | P2 for some P1, P2. Hence Q ≡ 0; thus Q |= 0.

Case A1 | A2. Suppose |Ai|hw = (hi, wi) for i = 1, 2 and P |= A1 | A2. We have |(A1 | A2)|hw = (max(h1, h2), w1 + w2) and there exist P1, P2 such that P ≡ P1 | P2 and Pi |= Ai for i = 1, 2. Then by Lemma 12 there exist Q1, Q2 such that Q ≡ Q1 | Q2 and Pi ∼max(h1,h2),wi Qi for i = 1, 2. Then Pi ∼hi,wi Qi for i = 1, 2 by Lemma 10, hence Qi |= Ai for i = 1, 2 by induction hypothesis. This proves Q |= A1 | A2.

Case A ▷ B. Suppose |B|hw = (h, w) and P |= A ▷ B. We have |A ▷ B|hw = (h, w) and P ∼h,w Q. Consider any P1 such that P1 |= A; then P | P1 |= B. Since P ∼h,w Q and P1 ∼h,w P1 we have P | P1 ∼h,w Q | P1 by Lemma 11. Hence Q | P1 |= B by induction hypothesis. This proves Q |= A ▷ B.

Case n[A]. Suppose |A|hw = (h, w). We have |n[A]|hw = (h + 1, max(w, 2)) and P ∼h+1,max(w,2) Q and P |= n[A]. Then there exists P′ such that P ≡ n[P′] and P′ |= A. From P ∼h+1,max(w,2) Q we deduce that there exists Q′ such that Q ≡ n[Q′] and P′ ∼h,max(w,2) Q′. Lemma 10 implies P′ ∼h,w Q′, and by induction hypothesis we have Q′ |= A. This proves Q |= n[A].

Case A@n. Suppose |A|hw = (h, w). We have |A@n|hw = (max(h − 1, 0), w) and P ∼max(h−1,0),w Q. If h > 0 then we have n[P] ∼h,w n[Q] by Lemma 11. If h = 0 then n[P] ∼h,w n[Q] is immediate. With appeal to the induction hypothesis, we calculate:

  P |= A@n ⇔ n[P] |= A ⇔ n[Q] |= A ⇔ Q |= A@n  □

The following lemma shows that each equivalence class determined by ∼h,w contains a tree of size bounded by (h, w).

Lemma 13 (Pruning) For all P ∈ Tree_X, h, w there exists P′ ∈ Tree_X such that P ∼h,w P′ and |P′|hw ≤ (h, w).

Proof We describe how to construct P′ by induction on h. For h = 0 define P′ ≜ 0. For h + 1, suppose P ≡ n1[P1] | ··· | nk[Pk], for some k and nj, Pj with j ∈ 1..k. Let P′j, for j ∈ 1..k, be the tree obtained by pruning Pj to size (h, w). Define Q ≜ n1[P′1] | ··· | nk[P′k]. We can write Q in a canonical form with respect to ≡, that is, there exist i and aj, mj, Qj for j ∈ 1..i such that Q ≡ a1·m1[Q1] | ··· | ai·mi[Qi] and, for all j, j′ ∈ 1..i, if mj[Qj] ≡ mj′[Qj′] then j = j′. For each j ∈ 1..i, define bj ≜ min(aj, w). Then we can define P′ ≜ b1·m1[Q1] | ··· | bi·mi[Qi]. It is easy to see that |P′|hw ≤ (h + 1, w) and P ∼h+1,w P′. □
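An added Python example (not the authors' code) of Definition 2 and the pruning construction of Lemma 13; the tuple encoding of trees and the function names are assumptions of this example. Since, by Lemma 13 together with Lemma 14(2) below, P ∼h,w Q holds exactly when the two pruned trees are structurally equivalent, `similar` decides ∼h,w by comparing prunings.

```python
from collections import Counter

# Trees in canonical form: a sorted tuple of (label, subtree) pairs, so that
# structural equivalence P ≡ Q is just tuple equality.  (Encoding assumed here.)
EMPTY = ()

def edge(n, t):
    """The tree n[t]."""
    return ((n, t),)

def par(*ts):
    """Composition P | Q | ...: merge the multisets of top-level edges."""
    return tuple(sorted(e for t in ts for e in t))

def size_hw(p):
    """|P|hw of Definition 2: height, and the maximum multiplicity of any
    n_i[P_i] in the canonical form a_1·n_1[P_1] | ... | a_k·n_k[P_k]."""
    if p == EMPTY:
        return (0, 0)
    mult = Counter(p)                       # a_i for each distinct n_i[P_i]
    subs = [size_hw(t) for _, t in mult]    # (h_i, w_i) for each P_i
    return (1 + max(h for h, _ in subs),
            max(list(mult.values()) + [w for _, w in subs]))

def prune(p, h, w):
    """The tree P' of Lemma 13: P ∼h,w P' and |P'|hw <= (h, w).  Children
    are pruned to (h-1, w) and each multiplicity is then capped at w."""
    if h == 0:
        return EMPTY
    mult = Counter((n, prune(t, h - 1, w)) for n, t in p)
    return par(*(edge(n, t) for (n, t), a in mult.items()
                 for _ in range(min(a, w))))

def similar(p, q, h, w):
    """Decide P ∼h,w Q: each tree is ∼h,w-related to its pruning (Lemma 13),
    and trees of size <= (h, w) are ∼h,w-related only when structurally
    equivalent (Lemma 14), so it suffices to compare the prunings."""
    return prune(p, h, w) == prune(q, h, w)

if __name__ == '__main__':
    n0 = edge('n', EMPTY)
    print(size_hw(par(n0, n0)))               # (1, 2), as in the list above
    print(similar(par(n0, n0), n0, 1, 1))     # True: width 1 cannot count to 2
    print(similar(par(n0, n0), n0, 1, 2))     # False
```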

Proposition 3 (Bounding Size) For any tree P, set of names X and formulas A and B, if h = max(|A|h, |B|h) and w = max(|A|w, |B|w) then

  (∀Q ∈ Tree_X. Q |= A ⇒ P | Q |= B) ⇔ (∀Q ∈ Tree_X. |Q|hw ≤ (h, w) ∧ Q |= A ⇒ P | Q |= B)

Proof The forwards direction is immediate. For the backwards direction, assume that the right hand side holds. Take any Q ∈ Tree_X such that Q |= A. Then we have:

  ∃Q′. Q ∼h,w Q′ ∧ |Q′|hw ≤ (h, w)        by Lemma 13
  Q ∼|A|h,|A|w Q′                         by Lemma 10 since |A|hw ≤ (h, w)
  Q′ |= A                                 by Proposition 2
  P | Q′ |= B                             by assumption
  P | Q ∼h,w P | Q′                       by Lemma 11
  P | Q ∼|B|h,|B|w P | Q′                 by Lemma 10 since |B|hw ≤ (h, w)
  P | Q |= B                              by Proposition 2  □

Proposition 4 (Bounding Size and Names) For any tree P and formulas A and B, if m ∉ fn(A ▷ B) and X = fn(A ▷ B) ∪ {m} and h = max(|A|h, |B|h) and w = max(|A|w, |B|w), then:

  P |= A ▷ B ⇔ (∀Q ∈ Tree_X. |Q|hw ≤ (h, w) ∧ Q |= A ⇒ P | Q |= B)

Proof We have:

  P |= A ▷ B
  ⇔ (∀Q ∈ Tree_X. Q |= A ⇒ P | Q |= B)
  ⇔ (∀Q ∈ Tree_X. |Q|hw ≤ (h, w) ∧ Q |= A ⇒ P | Q |= B)

Proposition 1 justifies the first step, Proposition 3 the second. □

So, to check satisfaction of A ▷ B, we need only consider trees whose free names are drawn from fn(A ▷ B) ∪ {m}, and whose size is bounded by max(|A|hw, |B|hw). We show in the next section that the number of such trees, modulo structural equivalence, is finite. Hence, we obtain an algorithm for satisfaction of A ▷ B.

3.3 Enumerating Equivalence Classes

In this section we present an explicit characterization of the equivalence classes on trees, modulo structural equivalence, determined by ∼h,w.

Definition 4 (Notation) Consider the following notation, where metavariable c ranges over sets of trees modulo structural congruence:

  ⟨P⟩≡      ≜ {P′ | P ≡ P′}
  ⟨P⟩h,w    ≜ {P′ | P ∼h,w P′}
  c1 + c2   ≜ c1 ∪ c2
  n[c]      ≜ {⟨n[P]⟩≡ | ⟨P⟩≡ ∈ c}
  c^{≤n}    ≜ {⟨a1·P1 | ··· | ak·Pk⟩≡ | 0 ≤ ai ≤ n for i ∈ 1..k}   when c = {⟨P1⟩≡, ..., ⟨Pk⟩≡}

We can now give a direct definition of the set of equivalence classes EQ^X_{h,w} determined by ∼h,w, given a set of names X.

Definition 5 If X = {n1, ..., nk}, define EQ^X_{h,w} as follows:

  EQ^X_{0,w}    ≜ {⟨0⟩≡}
  EQ^X_{h+1,w}  ≜ (n1[EQ^X_{h,w}] + ··· + nk[EQ^X_{h,w}])^{≤w}

Lemma 14 If |P|hw ≤ (h, w) and |P′|hw ≤ (h, w), then (1) P ∈ Tree_X implies ⟨P⟩≡ ∈ EQ^X_{h,w}. (2) P ≡ P′ ⇔ P ∼h,w P′.

Proof Part (1) is a simple induction on h. For Part (2), the interesting direction is ⇐. We proceed by induction on h. If h = 0 then |P|h = |P′|h = 0, hence P ≡ P′ ≡ 0. For the case h + 1, suppose |P|hw ≤ (h + 1, w) and |P′|hw ≤ (h + 1, w) and P ∼h+1,w P′. Write P and P′ in canonical form with respect to ≡, that is, there exist k and aj, a′j, nj, Pj for j ∈ 1..k such that

  P ≡ a1·n1[P1] | ··· | ak·nk[Pk]
  P′ ≡ a′1·n1[P1] | ··· | a′k·nk[Pk]

where, for all i, j ∈ 1..k, if ni[Pi] ≡ nj[Pj] then i = j. Since |P|hw ≤ (h + 1, w) and |P′|hw ≤ (h + 1, w) we have aj ≤ w and a′j ≤ w for each j ∈ 1..k. For each i ∈ 1..k we show ai ≤ a′i: there exists P† such that P ≡ ai·ni[Pi] | P†. Then by definition of P ∼h+1,w P′ there exist P′1, ..., P′ai, P′† such that P′ ≡ ni[P′1] | ··· | ni[P′ai] | P′† and Pi ∼h,w P′j for j ∈ 1..ai. By induction hypothesis we have Pi ≡ P′j for each j ∈ 1..ai, hence P′ ≡ ai·ni[Pi] | P′†. This proves ai ≤ a′i. With a symmetric argument we can show a′i ≤ ai for each i ∈ 1..k. This proves P ≡ P′. □

The following lemma shows that EQ^X_{h,w} contains exactly the trees (modulo ≡) of size at most (h, w) with free names drawn from X.

Lemma 15 ⟨P⟩≡ ∈ EQ^X_{h,w} ⇔ P ∈ Tree_X ∧ |P|hw ≤ (h, w).

Proof By construction, if ⟨P⟩≡ ∈ EQ^X_{h,w} then P ∈ Tree_X and |P|hw ≤ (h, w). The converse follows from Lemma 14. □

The following proposition shows that EQ^X_{h,w} is an enumeration of the representatives of the equivalence classes in Tree_X/∼h,w.

Proposition 5 The function f : Tree_X → Tree_X/∼h,w sending P to ⟨P⟩h,w extends to a bijection f′ : EQ^X_{h,w} → Tree_X/∼h,w.

Proof Let f′ be the function sending ⟨P⟩≡ to ⟨P⟩h,w. Clearly f′ is well defined since P ≡ P′ implies P ∼h,w P′. To show that f′ is surjective, take any ⟨P⟩h,w ∈ Tree_X/∼h,w. By Lemma 13 there exists P′ ∈ Tree_X such that P ∼h,w P′ and |P′|hw ≤ (h, w). So ⟨P′⟩h,w = ⟨P⟩h,w and ⟨P′⟩≡ ∈ EQ^X_{h,w} by Lemma 14. To show that f′ is injective, consider any P, Q ∈ Tree_X with ⟨P⟩≡, ⟨Q⟩≡ ∈ EQ^X_{h,w} and ⟨P⟩h,w = ⟨Q⟩h,w. Then |P|hw ≤ (h, w) and |Q|hw ≤ (h, w) by Lemma 15, hence P ≡ Q by Lemma 14. This proves ⟨P⟩≡ = ⟨Q⟩≡. □

Theorem 1 (Finite Bound) Consider any formulas A and B. Let EQ^X_{h,w} = {⟨Q1⟩≡, ..., ⟨Qn⟩≡}, where h = max(|A|h, |B|h) and w = max(|A|w, |B|w) and X = fn(A ▷ B) ∪ {m} for some m ∉ fn(A ▷ B). Then, for any tree P:

  P |= A ▷ B ⇔ (∀i ∈ 1..n. Qi |= A ⇒ P | Qi |= B)

Proof Using Proposition 4, Lemma 15, and Lemma 2:

  P |= A ▷ B
  ⇔ (∀Q ∈ Tree_X. |Q|hw ≤ (h, w) ∧ Q |= A ⇒ P | Q |= B)
  ⇔ (∀Q. ⟨Q⟩≡ ∈ EQ^X_{h,w} ∧ Q |= A ⇒ P | Q |= B)
  ⇔ (∀Q. (∃i ∈ 1..n. Q ≡ Qi) ∧ Q |= A ⇒ P | Q |= B)
  ⇔ (∀i ∈ 1..n. ∀Q. Q ≡ Qi ∧ Q |= A ⇒ P | Q |= B)
  ⇔ (∀i ∈ 1..n. Qi |= A ⇒ P | Qi |= B)  □

Given this result, we can now show that each of the three quantifications in the definition of satisfaction can be reduced to a finite problem.

Finite Test Sets: T(P), T(A ▷ B), and T(n, P)

  T(P) is the finite non-empty set {⟨Q, R⟩ | P ≡ Q | R}/(≡ × ≡).
  T(A ▷ B) is the finite non-empty set EQ^X_{h,w}, where h = max(|A|h, |B|h) and w = max(|A|w, |B|w) and X = fn(A ▷ B) ∪ {m} for some m ∉ fn(A ▷ B).
  T(n, P) is the finite, possibly empty, set {Q | P ≡ n[Q]}/≡.

Lemma 16
(1) For any P, P |= A′ | A″ ⇔ ∃⟨P′, P″⟩ ∈ T(P). P′ |= A′ ∧ P″ |= A″.
(2) For any A, B, P |= A ▷ B ⇔ ∀Q ∈ T(A ▷ B). Q |= A ⇒ Q | P |= B.
(3) For any P, P |= n[A′] ⇔ ∃P′ ∈ T(n, P). P′ |= A′.

Proof Part (2) follows at once from Theorem 1. The other parts follow easily, as in earlier work [CG00]. □

Theorem 2 Satisfaction and validity are interderivable and decidable.

Proof As noted in Section 2, Lemmas 4 and 5 establish the equivalence of satisfaction and validity. An algorithm for satisfaction follows from the rules of its definition in Section 2, together with the facts in Lemma 16. □

Validity is defined in terms of an infinite quantification over trees. We end with a corollary of Lemma 4 and Theorem 1, which reduces validity to a finite quantification over a computable sequence of trees. Hence, we obtain an explicit algorithm for validity.

Corollary 1 Consider any formula A. Suppose EQ^X_{h,w} = {⟨P1⟩≡, ..., ⟨Pn⟩≡}, where (h, w) = |A|hw and X = fn(A) ∪ {m} for some m ∉ fn(A). Then

  vld(A) ⇔ (∀i ∈ 1..n. Pi |= A)

It is straightforward to implement the algorithms for satisfaction and validity suggested above. However, they are of limited practical interest, since the size of EQ^X_{h,w} is not elementary (not bounded by any tower of exponentials) in the worst case. The only lower bound we know is PSPACE. Still, the algorithm terminates in a reasonable time on small formulas. Here is a selection of formulas found to be valid by our implementation.
• (0 ∨ p[0]) | ¬(p[0])
• q[¬0] ▷ ¬(0)
• ¬((q[q[0]] | q[0])@q)
• (T ▷ ¬((q[0] ∨ T) ▷ 0))@q
• ((0 ∨ p[0])@p)@p@p
• (¬(p[T]) ∨ ¬(q[T]))@q
• p[T] ▷ (p[T] | T)
• ¬(p[T] ▷ 0)
• ¬(T | (T ▷ q[0])@q)
• (T | (¬(0) ∨ 0)) | T
• (T | q[T])@q ∨ 0

To see why, for example, the formula (0 ∨ p[0]) | ¬(p[0]) is valid, consider any process P. Either P |= p[0] or not. If so, we have P ≡ P | 0, and P |= 0 ∨ p[0] and 0 |= ¬(p[0]). If not, we have P ≡ 0 | P, and 0 |= 0 ∨ p[0] and P |= ¬(p[0]). So, in either case, the process satisfies (0 ∨ p[0]) | ¬(p[0]).

4 Deciding Validity by Deduction

We present a sequent calculus for our spatial logic, following the pattern of Caires and Cardelli [CC02]. We show the calculus to be sound and complete with respect to an interpretation in terms of the satisfaction relation, and present a complete proof procedure. Hence, we obtain an algorithm for deciding validity by deduction in the sequent calculus.

4.1 A Sequent Calculus

A context, Γ or Δ, is a finite multiset of entries of the form P : A where P is a tree and A is a formula. A sequent is a judgment Γ ⊢ Δ where Γ and Δ are contexts. The following table states the rules for deriving sequents. The rules depend on the finite test sets T(P), T(A . B), and T(n, P) introduced in Section 3. All that matters for the purpose of this section is that these sets are computable and that they satisfy the properties stated in Lemma 16. Hence, this is a finitary proof system; note the form of the rules (| L), (. R), and (n[] L).

Rules of the Sequent Calculus (premises above the line, conclusion below; side conditions are listed with the premises):

(Id)
    P ≡ Q
    ------------------------------
    Γ, P : A ⊢ Q : A, Δ

(Cut)
    Γ ⊢ P : A, Δ      Γ, P : A ⊢ Δ
    ------------------------------
    Γ ⊢ Δ

(C L)
    Γ, P : A, P : A ⊢ Δ
    ------------------------------
    Γ, P : A ⊢ Δ

(C R)
    Γ ⊢ P : A, P : A, Δ
    ------------------------------
    Γ ⊢ P : A, Δ

(F L)
    ------------------------------
    Γ, P : F ⊢ Δ

(F R)
    Γ ⊢ Δ
    ------------------------------
    Γ ⊢ P : F, Δ

(∧ L)
    Γ, P : A, P : B ⊢ Δ
    ------------------------------
    Γ, P : A ∧ B ⊢ Δ

(∧ R)
    Γ ⊢ P : A, Δ      Γ ⊢ P : B, Δ
    ------------------------------
    Γ ⊢ P : A ∧ B, Δ

(⇒ L)
    Γ ⊢ P : A, Δ      Γ, P : B ⊢ Δ
    ------------------------------
    Γ, P : A ⇒ B ⊢ Δ

(⇒ R)
    Γ, P : A ⊢ P : B, Δ
    ------------------------------
    Γ ⊢ P : A ⇒ B, Δ

(0 L)
    P ≢ 0
    ------------------------------
    Γ, P : 0 ⊢ Δ

(0 R)
    P ≡ 0
    ------------------------------
    Γ ⊢ P : 0, Δ

(| L)
    ∀⟨Q, R⟩ ∈ T(P). Γ, Q : A, R : B ⊢ Δ
    ------------------------------
    Γ, P : A | B ⊢ Δ

(| R)
    Γ ⊢ Q : A, Δ      Γ ⊢ R : B, Δ      P ≡ Q | R
    ------------------------------
    Γ ⊢ P : A | B, Δ

(. L)
    Γ ⊢ Q : A, Δ      Γ, Q | P : B ⊢ Δ
    ------------------------------
    Γ, P : A . B ⊢ Δ

(. R)
    ∀Q ∈ T(A . B). Γ, Q : A ⊢ Q | P : B, Δ
    ------------------------------
    Γ ⊢ P : A . B, Δ

(n[] L)
    ∀Q ∈ T(n, P). Γ, Q : A ⊢ Δ
    ------------------------------
    Γ, P : n[A] ⊢ Δ

(n[] R)
    Γ ⊢ Q : A, Δ      P ≡ n[Q]
    ------------------------------
    Γ ⊢ P : n[A], Δ

(@n L)
    Γ, n[P] : A ⊢ Δ
    ------------------------------
    Γ, P : A@n ⊢ Δ

(@n R)
    Γ ⊢ n[P] : A, Δ
    ------------------------------
    Γ ⊢ P : A@n, Δ

The variables Q, R in (| L) and the variable Q in (. R) cannot occur free (in a formalistic reading) in Γ, P, Δ. Compare the side conditions on these rules in Caires and Cardelli [CC02]. Here, these are meta-level variables ranging over terms, so there is no need for such side conditions. Note that (n[] L) applies also when T(n, P) is empty (something that never happens for (| L)), so we can conclude, for example, Γ, 0 : n[A] ⊢ Δ. The fact that T(n, P) may be empty also explains the irregular form of clause (n[] R) of Lemma 18 below.

Lemma 17 (Weakening) If Γ ⊢ Δ is derivable, then Γ, P : A ⊢ Δ and Γ ⊢ P : A, Δ are derivable. Moreover, if there is a derivation of Γ ⊢ Δ free of (Id), (Cut), (C L), (C R), then there are derivations of Γ, P : A ⊢ Δ and Γ ⊢ P : A, Δ free of (Id), (Cut), (C L), (C R).

Proof By induction on the derivation of Γ ⊢ Δ. The second part of the statement comes from inspection of the cases different from (Id), (Cut), (C L), (C R). □

4.2 Soundness and Completeness

We make a conventional interpretation of sequents:

    [[P1 : A1, ..., Pn : An]]^∧  ≜  P1 |= A1 ∧ ... ∧ Pn |= An
    [[Q1 : B1, ..., Qm : Bm]]^∨  ≜  Q1 |= B1 ∨ ... ∨ Qm |= Bm
    [[Γ ⊢ Δ]]                    ≜  [[Γ]]^∧ ⇒ [[Δ]]^∨

To prove soundness and completeness of the sequent calculus, we need the following two lemmas.

Lemma 18 (Validity of Antecedents)
(F L) [[Γ, P : F ⊢ Δ]]
(F R) [[Γ ⊢ P : F, Δ]] iff [[Γ ⊢ Δ]]
(∧ L) [[Γ, P : A′ ∧ A″ ⊢ Δ]] iff [[Γ, P : A′, P : A″ ⊢ Δ]]
(∧ R) [[Γ ⊢ P : A′ ∧ A″, Δ]] iff [[Γ ⊢ P : A′, Δ]] ∧ [[Γ ⊢ P : A″, Δ]]
(⇒ L) [[Γ, P : A′ ⇒ A″ ⊢ Δ]] iff [[Γ ⊢ P : A′, Δ]] ∧ [[Γ, P : A″ ⊢ Δ]]
(⇒ R) [[Γ ⊢ P : A′ ⇒ A″, Δ]] iff [[Γ, P : A′ ⊢ P : A″, Δ]]
(0 L) [[Γ, P : 0 ⊢ Δ]] iff P ≡ 0 ⇒ [[Γ ⊢ Δ]]
(0 R) [[Γ ⊢ P : 0, Δ]] iff P ≢ 0 ⇒ [[Γ ⊢ Δ]]
(| L) [[Γ, P : A′ | A″ ⊢ Δ]] iff ∀P′, P″. P ≡ P′ | P″ ⇒ [[Γ, P′ : A′, P″ : A″ ⊢ Δ]]
(| R) [[Γ ⊢ P : A′ | A″, Δ]] iff ∃P′, P″. P ≡ P′ | P″ ∧ [[Γ ⊢ P′ : A′, Δ]] ∧ [[Γ ⊢ P″ : A″, Δ]]
(. L) [[Γ, P : A′ . A″ ⊢ Δ]] iff ∃P′. [[Γ ⊢ P′ : A′, Δ]] ∧ [[Γ, P′ | P : A″ ⊢ Δ]]
(. R) [[Γ ⊢ P : A′ . A″, Δ]] iff ∀P′. [[Γ, P′ : A′ ⊢ P′ | P : A″, Δ]]
(n[] L) [[Γ, P : n[A′] ⊢ Δ]] iff ∀P′. P ≡ n[P′] ⇒ [[Γ, P′ : A′ ⊢ Δ]]
(n[] R) [[Γ ⊢ P : n[A′], Δ]] iff (∀P′. P ≢ n[P′] ∧ [[Γ ⊢ Δ]]) ∨ (∃P′. P ≡ n[P′] ∧ [[Γ ⊢ P′ : A′, Δ]])
(@n L) [[Γ, P : A′@n ⊢ Δ]] iff [[Γ, n[P] : A′ ⊢ Δ]]
(@n R) [[Γ ⊢ P : A′@n, Δ]] iff [[Γ ⊢ n[P] : A′, Δ]]

Proof By detailed, but straightforward, calculations. (The clauses for ⇒ are the only ones that move an entry across the turnstile; the clauses for the non-primitive connectives T, ¬, ∨ follow from these.) □

Lemma 19 (Finite Test Sets)
(1) For any P there is a finite set T(P) with: ∀P′, P″. P ≡ P′ | P″ ⇒ [[Γ, P′ : A′, P″ : A″ ⊢ Δ]] iff ∀⟨P′, P″⟩ ∈ T(P). [[Γ, P′ : A′, P″ : A″ ⊢ Δ]].
(2) For any A′, A″, there is a finite set T(A′ . A″) with: ∀P′. [[Γ, P′ : A′ ⊢ P′ | P : A″, Δ]] iff ∀P′ ∈ T(A′ . A″). [[Γ, P′ : A′ ⊢ P′ | P : A″, Δ]].
(3) For any P there is a finite set T(n, P) with: ∀P′. P ≡ n[P′] ⇒ [[Γ, P′ : A′ ⊢ Δ]] iff ∀P′ ∈ T(n, P). [[Γ, P′ : A′ ⊢ Δ]].

Proof By expanding definitions, and appeal to Lemma 16. □

Theorem 3 (Soundness) If Γ ⊢ Δ is derivable, then [[Γ ⊢ Δ]].

Proof By induction on the derivation of Γ ⊢ Δ. □

Theorem 4 (Completeness) If [[Γ ⊢ Δ]], then Γ ⊢ Δ has a derivation. Moreover, it has a derivation that does not use (Id), (Cut), (C L), (C R).

Proof By induction on the sum of the sizes of all the formulas in Γ ⊢ Δ. The interesting cases are (| L), (n[] L) and, particularly, (. R), relying on Lemma 19. These are the only cases we show.

Subcase [[Γ, P : A′ | A″ ⊢ Δ]]. By Lemma 18(| L) we have ∀P′, P″. P ≡ P′ | P″ ⇒ [[Γ, P′ : A′, P″ : A″ ⊢ Δ]]. By Lemma 19(1) there is a finite set T(P) such that ∀⟨P′, P″⟩ ∈ T(P). [[Γ, P′ : A′, P″ : A″ ⊢ Δ]]. By IndHyp, ∀⟨P′, P″⟩ ∈ T(P). Γ, P′ : A′, P″ : A″ ⊢ Δ has a derivation. Hence by (| L) we can construct a (finite) derivation for Γ, P : A′ | A″ ⊢ Δ.

Subcase [[Γ, P : n[A′] ⊢ Δ]]. By Lemma 18(n[] L) we have ∀P′. P ≡ n[P′] ⇒ [[Γ, P′ : A′ ⊢ Δ]]. By Lemma 19(3) there is a finite set T(n, P) such that ∀P′ ∈ T(n, P). [[Γ, P′ : A′ ⊢ Δ]]. By IndHyp, ∀P′ ∈ T(n, P). Γ, P′ : A′ ⊢ Δ has a derivation. Hence by (n[] L) we can construct a (finite) derivation for Γ, P : n[A′] ⊢ Δ.

Subcase [[Γ ⊢ P : A′ . A″, Δ]]. By Lemma 18(. R) we have ∀P′. [[Γ, P′ : A′ ⊢ P′ | P : A″, Δ]]. By Lemma 19(2) there is a finite set T(A′ . A″) such that ∀P′ ∈ T(A′ . A″). [[Γ, P′ : A′ ⊢ P′ | P : A″, Δ]]. By IndHyp, ∀P′ ∈ T(A′ . A″). Γ, P′ : A′ ⊢ P′ | P : A″, Δ has a derivation. Hence by (. R) we can construct a (finite) derivation for Γ ⊢ P : A′ . A″, Δ.

For the second part of the statement, it is sufficient to note that the rules (Id), (Cut), (C L), (C R) are never used in the proof to construct the derivation, and that the cases (0 L), (0 R), (n[] R) use Lemma 17 applied to a derivation that, inductively, does not contain (Id), (Cut), (C L), (C R). □

Proposition 6 (Id, Cut, and Contraction Elimination) If Γ ⊢ Δ has a derivation, then there is a derivation that does not use (Id), (Cut), (C L), (C R).

Proof If Γ ⊢ Δ is derivable in the full system, then [[Γ ⊢ Δ]] by Theorem 3 (Soundness). Then, by Theorem 4 (Completeness), Γ ⊢ Δ has a derivation that does not use (Id), (Cut), (C L), (C R). □

By combining Theorems 2, 3, and 4 we obtain:

Proposition 7 (Decidability) It is decidable whether Γ ⊢ Δ is derivable.

Proof Suppose that Γ = P1 : A1, ..., Pn : An and Δ = Q1 : B1, ..., Qm : Bm. By Theorems 3 (Soundness) and 4 (Completeness), P1 : A1, ..., Pn : An ⊢ Q1 : B1, ..., Qm : Bm is derivable if and only if [[P1 : A1, ..., Pn : An]]^∧ ⇒ [[Q1 : B1, ..., Qm : Bm]]^∨. By Theorem 2 we know that P |= A is decidable. Therefore, we just need to test that either there is an i with Pi ⊭ Ai, or there is a j with Qj |= Bj. □

4.3 A Complete Proof Procedure

The following theorem essentially implies Completeness, and uses Lemma 18 in a similar way, but is not quite as clean as Completeness, since it talks about an algorithm. Moreover, the cases for (. L), (| R) and (n[] R) are harder than in Completeness. On the other hand, the theorem is interesting because it shows that there is a complete proof procedure that actually builds a derivation, unlike the decision procedure of Proposition 7, which only answers yes or no.

Lemma 20 (More on Finite Test Sets)
(1) For any P there is a finite set T(P) with: ∃P′, P″. P ≡ P′ | P″ ∧ [[Γ ⊢ P′ : A′, Δ]] ∧ [[Γ ⊢ P″ : A″, Δ]] iff ∃⟨P′, P″⟩ ∈ T(P). [[Γ ⊢ P′ : A′, Δ]] ∧ [[Γ ⊢ P″ : A″, Δ]].
(2) For any A′, A″, there is a finite set T(A′ . A″) with: ∃P′. [[Γ ⊢ P′ : A′, Δ]] ∧ [[Γ, P′ | P : A″ ⊢ Δ]] iff ∃P′ ∈ T(A′ . A″). [[Γ ⊢ P′ : A′, Δ]] ∧ [[Γ, P′ | P : A″ ⊢ Δ]].
(3) For any P there is a finite set T(n, P) with: ∃P′. P ≡ n[P′] ∧ [[Γ ⊢ P′ : A′, Δ]] iff ∃P′ ∈ T(n, P). [[Γ ⊢ P′ : A′, Δ]].

Proof By expanding definitions, and appeal to Lemma 16. □

Theorem 5 (Complete Proof Procedure) There is a procedure such that, for any sequent Γ ⊢ Δ: if ¬[[Γ ⊢ Δ]], the procedure terminates with failure; if [[Γ ⊢ Δ]], the procedure terminates with a derivation for Γ ⊢ Δ.

Proof We describe the procedure, but omit the proof of correctness, which, in addition to the properties used in the proof of Theorem 4, also uses Lemma 20. The procedure picks nondeterministically any formula in the sequent to operate on. It terminates because at every recursive call it either reduces the total size (size) of the formulas in the sequent, or stops with success or failure.

Case size = 0, that is, the empty sequent − ⊢ −. The procedure terminates with failure.

Case size ≥ 1, left rules.

Subcase Γ, P : F ⊢ Δ. The procedure succeeds with the derivation Γ, P : F ⊢ Δ, by (F L).

Subcase Γ, P : A′ ∧ A″ ⊢ Δ. The procedure recurses with Γ, P : A′, P : A″ ⊢ Δ; if the recursion fails, it fails; if the recursion succeeds with a derivation for Γ, P : A′, P : A″ ⊢ Δ, it produces a derivation for Γ, P : A′ ∧ A″ ⊢ Δ by (∧ L).

Subcase Γ, P : A′ ⇒ A″ ⊢ Δ. The procedure recurses with Γ ⊢ P : A′, Δ and Γ, P : A″ ⊢ Δ; if either recursion fails, the procedure fails. If the recursions succeed with derivations for Γ ⊢ P : A′, Δ and Γ, P : A″ ⊢ Δ, the procedure produces a derivation for Γ, P : A′ ⇒ A″ ⊢ Δ by (⇒ L).

Subcase Γ, P : 0 ⊢ Δ. If P ≢ 0 (a decidable test) the procedure returns the derivation Γ, P : 0 ⊢ Δ by (0 L); otherwise it recurses with Γ ⊢ Δ. If the recursion fails, it fails; if it succeeds with a derivation for Γ ⊢ Δ, it returns a derivation for Γ, P : 0 ⊢ Δ by weakening (Lemma 17).

Subcase Γ, P : A′ | A″ ⊢ Δ. The procedure computes the finite set T(P), and for every ⟨P′, P″⟩ belonging to it, it recurses with Γ, P′ : A′, P″ : A″ ⊢ Δ. If all the recursive calls succeed, the procedure builds a derivation for Γ, P : A′ | A″ ⊢ Δ by (| L); otherwise it fails.

Subcase Γ, P : A′ . A″ ⊢ Δ. The procedure computes the finite set T(A′ . A″), and for every P′ belonging to it, it recurses with Γ ⊢ P′ : A′, Δ and Γ, P′ | P : A″ ⊢ Δ. If one pair of recursive calls succeeds, the procedure builds a derivation for Γ, P : A′ . A″ ⊢ Δ by (. L); otherwise it fails.

Subcase Γ, P : n[A′] ⊢ Δ. The procedure computes the finite set T(n, P) (which may be empty). For every P′ belonging to it, the procedure recurses with Γ, P′ : A′ ⊢ Δ. If all the recursive calls succeed (vacuously so when T(n, P) is empty), the procedure builds a derivation for Γ, P : n[A′] ⊢ Δ by (n[] L); otherwise it fails.

Subcase Γ, P : A′@n ⊢ Δ. The procedure recurses with Γ, n[P] : A′ ⊢ Δ. If the recursive call succeeds, the procedure builds a derivation for Γ, P : A′@n ⊢ Δ by (@n L); otherwise it fails.

Case size ≥ 1, right rules.

Subcase Γ ⊢ P : F, Δ. The procedure recurses with Γ ⊢ Δ. If the recursion fails, the procedure fails. If the recursion succeeds with a derivation for Γ ⊢ Δ, the procedure returns a derivation for Γ ⊢ P : F, Δ by (F R).

Subcase Γ ⊢ P : A′ ∧ A″, Δ. The procedure recurses with Γ ⊢ P : A′, Δ and Γ ⊢ P : A″, Δ. If both recursive calls succeed, the procedure builds a derivation for Γ ⊢ P : A′ ∧ A″, Δ by (∧ R); otherwise it fails.

Subcase Γ ⊢ P : A′ ⇒ A″, Δ. The procedure recurses with Γ, P : A′ ⊢ P : A″, Δ. If the recursion fails, it fails; if the recursion succeeds with a derivation for Γ, P : A′ ⊢ P : A″, Δ, it produces a derivation for Γ ⊢ P : A′ ⇒ A″, Δ by (⇒ R).

Subcase Γ ⊢ P : 0, Δ. If P ≡ 0 (a decidable test) the procedure returns the derivation Γ ⊢ P : 0, Δ by (0 R); otherwise it recurses with Γ ⊢ Δ. If the recursion fails, it fails; if it succeeds with a derivation for Γ ⊢ Δ, it returns a derivation for Γ ⊢ P : 0, Δ by weakening (Lemma 17).

Subcase Γ ⊢ P : A′ | A″, Δ. The procedure computes the finite set T(P), and for every ⟨P′, P″⟩ belonging to it, it recurses with Γ ⊢ P′ : A′, Δ and Γ ⊢ P″ : A″, Δ. If one pair of recursive calls succeeds, the procedure builds a derivation for Γ ⊢ P : A′ | A″, Δ by (| R); otherwise it fails.

Subcase Γ ⊢ P : A′ . A″, Δ. The procedure computes the finite set T(A′ . A″), and for every P′ belonging to it, it recurses with Γ, P′ : A′ ⊢ P′ | P : A″, Δ. If all these recursive calls are successful, the procedure builds a derivation for Γ ⊢ P : A′ . A″, Δ by (. R); otherwise it fails.

Subcase Γ ⊢ P : n[A′], Δ. The procedure computes the finite set T(n, P). If T(n, P) is empty, then it recurses with Γ ⊢ Δ; if the recursion fails the procedure fails, and if it succeeds with a derivation for Γ ⊢ Δ, the procedure returns a derivation for Γ ⊢ P : n[A′], Δ by weakening (Lemma 17). If T(n, P) is not empty, then for every P′ belonging to it, the procedure recurses with Γ ⊢ P′ : A′, Δ. If one of the recursive calls succeeds, the procedure builds a derivation for Γ ⊢ P : n[A′], Δ by (n[] R); otherwise it fails.

Subcase Γ ⊢ P : A′@n, Δ. The procedure recurses with Γ ⊢ n[P] : A′, Δ. If the recursive call succeeds, the procedure builds a derivation for Γ ⊢ P : A′@n, Δ by (@n R); otherwise it fails. □
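As an added, runnable illustration of both Lemma 16 (the finite test sets T(P) and T(n, P) behind the satisfaction algorithm of Theorem 2) and the proof procedure of Theorem 5, here is a small Python program. It is example code written for this page, not the authors' implementation. It covers the adjunct-free fragment (F, 0, ∧, ⇒, |, n[A], A@n, with T, ¬ and ∨ derived), because the test set T(A . B) requires the enumeration EQ^X_{h,w} of Section 3, which is not reproduced here. Trees are kept in a canonical sorted form so that ≡ is ordinary equality; the names splits (for T(P)), under (for T(n, P)), sat, holds, prove, rules_used and agrees are this example's own.

```python
"""Model checker and proof procedure for the adjunct-free fragment of the logic.
Added example, not the paper's implementation.  A tree is a canonical sorted
tuple of edges (name, subtree), so structural congruence ≡ is plain equality.
Covered: F, 0, ∧, ⇒, |, n[A], A@n, with T, ¬, ∨ derived.  A . B is omitted
because T(A . B) needs the enumeration EQ^X_{h,w} of Section 3 of the paper.
"""
from itertools import product

ZERO = ()                                   # the empty tree 0

def loc(n, P):                              # n[P]
    return ((n, P),)

def par(*Ps):                               # P | Q | ... in canonical (sorted) form
    return tuple(sorted(e for P in Ps for e in P))

def splits(P):
    """T(P): one <Q, R> per ≡-class with P ≡ Q | R (Lemma 16(1)); never empty."""
    return sorted({(tuple(e for e, m in zip(P, mask) if not m),
                    tuple(e for e, m in zip(P, mask) if m))
                   for mask in product((0, 1), repeat=len(P))})

def under(n, P):
    """T(n, P): {Q | P ≡ n[Q]}; empty unless P is exactly one edge labelled n."""
    return [P[0][1]] if len(P) == 1 and P[0][0] == n else []

# Formulas as tagged tuples; T, ¬ and ∨ are the usual derived connectives.
F, Z = ('F',), ('0',)
def And(A, B): return ('and', A, B)
def Imp(A, B): return ('imp', A, B)
def Par(A, B): return ('par', A, B)
def Loc(n, A): return ('loc', n, A)
def At(A, n):  return ('at', n, A)
TT = Imp(F, F)
def Not(A):    return Imp(A, F)
def Or(A, B):  return Imp(Not(A), B)

def sat(P, A):
    """P |= A, with the quantifiers of | and n[] replaced by the finite test sets."""
    op = A[0]
    if op == 'F':   return False
    if op == '0':   return P == ZERO
    if op == 'and': return sat(P, A[1]) and sat(P, A[2])
    if op == 'imp': return not sat(P, A[1]) or sat(P, A[2])
    if op == 'par': return any(sat(Q, A[1]) and sat(R, A[2]) for Q, R in splits(P))
    if op == 'loc': return any(sat(Q, A[2]) for Q in under(A[1], P))
    if op == 'at':  return sat(loc(A[1], P), A[2])
    raise ValueError(op)

def holds(gamma, delta):
    """[[Γ ⊢ Δ]]: all entries of Γ satisfied implies some entry of Δ satisfied."""
    return not all(sat(P, A) for P, A in gamma) or any(sat(Q, B) for Q, B in delta)

def prove(gamma, delta):
    """The procedure of Theorem 5: a derivation (rule, sequent, premises) or None.
    It always works on the leftmost entry of Γ, then of Δ; the empty sequent fails."""
    seq = (gamma, delta)
    def node(rule, *prems): return (rule, seq, list(prems))
    def weaken(d):          return node('weaken', d) if d else None      # Lemma 17
    def every(rule, subs):                          # all premises must succeed
        ds = [prove(g, d) for g, d in subs]
        return node(rule, *ds) if all(ds) else None
    def some(rule, alternatives):                   # one alternative must succeed
        for subs in alternatives:
            d = every(rule, subs)
            if d: return d
        return None
    if gamma:                                       # left rules
        (P, A), rest = gamma[0], gamma[1:]
        op = A[0]
        if op == 'F':   return node('F L')
        if op == '0':   return node('0 L') if P != ZERO else weaken(prove(rest, delta))
        if op == 'and': return every('∧ L', [(rest + ((P, A[1]), (P, A[2])), delta)])
        if op == 'imp': return every('⇒ L', [(rest, delta + ((P, A[1]),)),
                                              (rest + ((P, A[2]),), delta)])
        if op == 'par': return every('| L', [(rest + ((Q, A[1]), (R, A[2])), delta)
                                             for Q, R in splits(P)])
        if op == 'loc': return every('n[] L', [(rest + ((Q, A[2]),), delta)
                                               for Q in under(A[1], P)])  # vacuous if empty
        return every('@n L', [(rest + ((loc(A[1], P), A[2]),), delta)])   # op == 'at'
    if delta:                                       # right rules
        (P, A), rest = delta[0], delta[1:]
        op = A[0]
        if op == 'F':   return every('F R', [(gamma, rest)])
        if op == '0':   return node('0 R') if P == ZERO else weaken(prove(gamma, rest))
        if op == 'and': return every('∧ R', [(gamma, rest + ((P, A[1]),)),
                                              (gamma, rest + ((P, A[2]),))])
        if op == 'imp': return every('⇒ R', [(gamma + ((P, A[1]),), rest + ((P, A[2]),))])
        if op == 'par': return some('| R', [[(gamma, rest + ((Q, A[1]),)),
                                             (gamma, rest + ((R, A[2]),))] for Q, R in splits(P)])
        if op == 'loc':
            Qs = under(A[1], P)
            if not Qs: return weaken(prove(gamma, rest))   # T(n, P) empty: fall back to Γ ⊢ Δ
            return some('n[] R', [[(gamma, rest + ((Q, A[2]),))] for Q in Qs])
        return every('@n R', [(gamma, rest + ((loc(A[1], P), A[2]),))])  # op == 'at'
    return None                                     # size = 0: failure

def rules_used(d):
    """Rule names in a derivation (Proposition 6: never Id, Cut, C L or C R)."""
    return {d[0]}.union(*[rules_used(p) for p in d[2]])

def agrees(gamma, delta):
    """Derivable iff [[Γ ⊢ Δ]] (Theorems 3 and 4) on one sequent."""
    return (prove(gamma, delta) is not None) == holds(gamma, delta)
```

agrees(Γ, Δ) compares the procedure's verdict with [[Γ ⊢ Δ]] on a sequent, which is the soundness-and-completeness claim of Theorems 3 and 4 restricted to this fragment; rules_used(d) checks that a returned derivation is free of (Id), (Cut), (C L) and (C R), as Proposition 6 predicts. The 'weaken' nodes stand for the appeals to Lemma 17 in the (0 L), (0 R) and (n[] R) cases. Note that T(P) is quotiented by ≡: the tree p[0] | p[0] | q[0] | q[0] has sixteen index splits but only nine up to congruence, and the procedure visits each class once.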

By combining Lemma 4 and Theorems 3 and 4, we equate the validity problem to a particular proof search problem.

Corollary 2 vld(A) if and only if ⊢ 0 : T . A has a derivation.

Hence, by Theorem 5, we obtain an algorithm for validity based on deduction.

5 A Language for Manipulating Trees

We describe a typed λ-calculus that manipulates tree data. The type system of this calculus has, at its basis, tree types. Function types are built on top of the tree types in standard higher-order style. The tree types, however, are unusual: they are the formulas of our logic. Therefore, we can write types such as:

    T → ¬0
    ((A ∧ ¬0) | n[B]) → (n[A] | B)

Logical operators can be applied only to tree types, not to higher-order types. A subtyping relation is defined between types. On tree types, subtyping is defined as validity of logical implication; that is, A